Shocked? Hacking Voting Machines is ‘Easy’ According to Experts

I’m not shocked. The DEF CON cybersecurity conference brought in 30 voting machines for attendees to play with. How many were hacked?


“It took me only a few minutes to see how to hack it,” said security consultant Thomas Richards, glancing at a Premier Election Solutions machine currently in use in Georgia.

(Source: The Hill)

My response to this is: well, duh.

These security conferences held in Las Vegas typically feature a mix of “black hat” and “white hat” hackers, meeting semi-anonymously in a temporary truce in order to compare notes on the latest vulnerabilities in our electronically-enhanced world. This is one of those places where you’d be a fool to bring in a smartphone with WiFi enabled–it would be remotely hacked within minutes.

Electronic voting machines were designed with older technology, for a specific purpose. They display a ballot, record a vote, and tabulate. Slot machines are far more advanced than voting machines (and far more difficult to hack).

The machine that Richards learned how to hack used beneath-the-surface software, known as firmware, designed in 2007. But a number of well-known vulnerabilities in that firmware have developed over the past decade.

Any of these hackers would quickly be able to identify and exploit the vulnerabilities in individual voting machines. But the best protection these machines have is their lack of connectivity. Machines such as the ones Georgia uses print individual tapes and do not connect to a larger network.

That makes it harder for hackers to access the machines. But not impossible.

Taking care to properly “store machines, set them up, [and] always have someone keeping an eye on machines,” [CyberScout consultant Eric Hodge] said, can mitigate a wide array of security problems.

Merely following suggestions such as Hodge’s (he consults with Kentucky’s Board of Elections) might protect the machines for the short run, but in the long run a determined hacker (or state-sponsored effort) will eventually beat security (many election workers tend to be older, retired and not so technology-savvy).

Once a vulnerability is found and an exploit is crafted, it could be packaged into the memory cards given to voters, or introduced by specific “voters” to infect the machines. Hackers are very ingenious about these things. Even if only 5 or 10 percent of voting machines in key districts are infected, that can swing an entire election.

Imagine how easy it would be for hackers to defeat an Internet-based election system.

The answer is found in that old saw:  a good offense is the best defense. We can’t just dust off election machines a few times a year, use them and pack them away. We must be at least as vigilant as Las Vegas casinos are with their slot machines.

I’m not shocked in the least.

FBI Seizes Democrat Computer Equipment – But Not The Ones You Are Thinking Of

The FBI has seized hard drives in connection with an investigation into the former information technology administrator of former Democratic National Committee chair Debbie Wasserman Schultz (D-Fl.). The hard drives in question are not the ones that you are thinking of. The hardware in question is apparently unconnected to the Russian hack of the DNC.

The Daily Caller reports that hard drives belonging to Imran Awan, a Pakistani IT worker for Wasserman Schultz since 2005, were found by the new tenants of a rental home formerly occupied by Awan. The new tenants, a Marine veteran married to a Navy officer, thought the equipment looked suspicious and called the Naval Criminal Investigative Service. According to the renter, the trove contained “wireless routers, hard drives that look like they tried to destroy, laptops, [and] a lot of brand new expensive toner.”

“It was in the garage. They recycled cabinets and lined them along the walls. They left in a huge hurry,” the Marine said. “It looks like government-issued equipment. We turned that stuff over.”

The FBI and Capitol Police arrived later to confiscate the equipment and interview the couple.

Imran Awan, together with two brothers, their wives and two other friends, also worked for several House Democrats. The Daily Caller reports that the group was paid more than $4 million by Democrats since 2009. The Awans and their colleagues were fired by House Democrats last March amid an investigation into theft of computer equipment and committing illegal violations of the House IT network.

Whatever is on the computer equipment, Awan is apparently desperate to get them back. The Marine renter reported that Awan, who is his landlord, threatened to sue the couple to get the items back. He says that Awan also refused to have mail forwarded to his new address.

The investigation of the Awans is still unfolding, but it may cause problems for some congressional Democrats as well. In May, Wasserman Schultz demanded the return of a laptop believed to belong to Awan. The Daily Caller reported at the time that Wasserman Schultz claimed that the laptop belonged to her and asserted congressional privilege. Police have not examined the laptop, citing the Constitution’s Speech and Debate Clause, but they also did not return it. Wasserman Schultz is currently in negotiations to provide police with access to the data on the computer.

An FBI spokesman said, “FBI does not have anything to provide on this and I will still have to refer you to [Capitol Police] for any public comment.”

Trump Says ‘No Computer Is Safe’ And He’s Totally Right

Could the answer to all these people questioning why Trump’s and the RNC’s email wasn’t hacked simply be that Trump doesn’t use email and Hillary does? Could it be that simple?

President-elect Donald Trump told reporters Saturday that “no computer is safe.” He said it twice, actually, in context of casting doubt onto the U.S. intelligence community’s conclusions that Russia was behind the DNC email hacks.

Mr. Trump, who does not use email, also advised people to avoid computers when dealing with delicate material. “It’s very important, if you have something really important, write it out and have it delivered by courier, the old-fashioned way, because I’ll tell you what, no computer is safe,” Mr. Trump said.

“I don’t care what they say, no computer is safe,” he added. “I have a boy who’s 10 years old; he can do anything with a computer. You want something to really go without detection, write it out and have it sent by courier.”

In his usual hyperbole, Trump has touched on a truth well-known in cyber security circles.

“The only secure computer is one that’s unplugged, locked in a safe, and buried 20 feet under the ground in a secret location… and I’m not even too sure about that one”
— Dennis Huges, FBI.

And this from 2014, from the head of the FBI’s Pittsburgh Cyber Squad:

“Really, the only safe computer is one that’s turned off and unplugged from the Internet, and even that may not be safe,” [J. Keith] Mularski told an audience at Carnegie Mellon University on Monday evening as he and co-panelists Nicolas Christin, an information systems security expert in CMU’s Cylab, and Pittsburgh Tribune-Review investigative reporter Andrew Conte debated the pros and cons of an increasingly wired world.

I personally know this to be true, as someone who routinely dealt with classified and unclassified computer networks during my time as an Air Force contractor. The only way to be sure that no classified network traffic gets onto an unclassified network is to never plug the two things into the same device, ever. Not at the same time, and not unplugging one then plugging in the other.

And even then, with no access to things like USB thumbdrives, micro SD, or (God forbid) floppy drives or even CD-ROMs, there are ways for data to be surreptitiously moved in and out. I’m not going to tell you the ones I know, and I know better than to ask people who know for other ways I don’t know. But rest assured, there are ways.

There’s a reason the POTUS isn’t allowed to surf the web like we do (obviously there are ways for the president to get “online”) or use a smartphone. Any device directly used by POTUS becomes the world’s most desirable hacking trophy for very serious players (meaning governments). This is why I and others were so furious with Hillary Clinton for exposing the State Department to all manner of hackers, which led to a breach of the Executive Office of the President in 2014.

That hack was thought to have been carried out by the Russian government. The DNC and Clinton campaign email hack was much more parochial by cyber threat standards. The Clinton hack was a high-school “script kiddie” level phishing expedition that yielded John Podesta’s Gmail password because of lax security by Clinton staffers.

The DNC hack was done through malware installed on DNC workstations, again most likely by phishing expeditions. The evidence pointing to the Russian government for this one is much more robust.

But some of the most compelling evidence linking the DNC breach to Russia was found at the beginning of July by Thomas Rid, a professor at King’s College in London, who discovered an identical command-and-control address hardcoded into the DNC malware that was also found on malware used to hack the German Parliament in 2015. According to German security officials, the malware originated from Russian military intelligence. An identical SSL certificate was also found in both breaches.

The evidence mounts from there. Traces of metadata in the document dump reveal various indications that they were translated into Cyrillic. Furthermore, while Guccifer 2.0 claimed to be from Romania, he was unable to chat with Motherboard journalists in coherent Romanian. Besides which, this sort of hacking wouldn’t exactly be outside of Russian norms.

So the Russians probably did the DNC hack. They may or may not have done the Clinton/Podesta hack, but let’s say there’s a good chance they did that one too. Trump’s argument about hacking is really laughable. I actually did laugh out loud when I read this quote:

He added: “And I know a lot about hacking. And hacking is a very hard thing to prove. So it could be somebody else. And I also know things that other people don’t know, and so they cannot be sure of the situation.”

Once the hack evidence has been found, it’s not really that hard to prove (that there’s been a hack and what kind). As for connecting the person behind the keyboard, or “command and control” where the data is ultimately harvested, it’s a bit harder, but it helps when there are other examples of the same address being used in the wild. As I’ve touched on before, our cyber spies probably know a whole lot more than will ever be told. It’s far more important to them to protect sources and methods than to provide a legal case against these hackers.

As Erick noted, hacking the DNC is not the same as hacking the election. Exposing Hillary’s dirty laundry while not exposing Trump’s (and plenty of Trump’s has been exposed) isn’t evidence of government-grade cyber warfare. It’s interesting that President Obama agreed with this on December 16.

I just received a couple weeks back — it wasn’t widely reported on — a report from our cybersecurity commission that outlines a whole range of strategies to do a better job on this.  But it’s difficult, because it’s not all housed — the target of cyberattacks is not one entity but it’s widely dispersed, and a lot of it is private, like the DNC.  It’s not a branch of government.  We can’t tell people what to do.  What we can do is inform them, get best practices.

But the Russians (and Chinese, and others) are very capable of striking at the heart of our government. Protecting the DNC, or the RNC, or any independent campaign is not a function of the U.S. government. Protecting our secrets is very much a priority, again, as President Obama said about one minute later:

And my approach is not a situation in which everybody is worse off because folks are constantly attacking each other back and forth, but putting some guardrails around the behavior of nation-states, including our adversaries, just so that they understand that whatever they do to us we can potentially do to them.

Obama continued:

That does not mean that we are not going to respond.  It simply meant that we had a set of priorities leading up to the election that were of the utmost importance.  Our goal continues to be to send a clear message to Russia or others not to do this to us, because we can do stuff to you.

About the response: Sometime last week, Obama changed his mind about “attacking each other back and forth” when he slapped a glove across Putin’s face by throwing out some of their spies (because of the DNC hacks)–a petty move aimed more at Trump than Russia. Putin didn’t return the favor, to highlight the pettiness of Obama’s play.

The real “stuff” we can do to the Russians is far worse than closing a couple of guest houses used by spies in Maryland and New York. In the end, I suspect the Russians (and Putin) play by the same rules Trump does. They just don’t use email for sensitive communications, which means there’s not much we can expose without going really deep into intelligence gathering methods and sources–which hurts America.

I think Trump needs to be much firmer with Russia, and stop apologizing for a nation and its dictator who clearly would love to influence America against our own interests and in favor of theirs. But Trump is also absolutely right that any computer connected to the Internet is simply unsafe–if a determined enough hacker (or government) wants to crack it. This is why we have the best cyber sleuths in the world working on our side.

The best solution, however, is to do what Trump does and mostly remain a Luddite who dictates tweets to his staff, hand writes notes with a Sharpie, and sends a limo to pick up his doctor to write a one-page memo.